Durch die Nutzung von AWS re:Post stimmt du den AWS re:Post Nutzungsbedingungen
AWS re:Postre:Post

How to perform logical OR with condition for an action in a IAM policy

0

So I can't seem to find this but what I want to do is create a condition on an action in a policy based on tags.

Either the tag aws:RequestTag/owner OR the tag aws:ResourceTag/owner MUST be present AND be equal to "${aws:PrincipalTag/owner}" :

{
    "Sid": "AllowUnlessOwnedBySomeoneElse",
    "Effect": "Allow",
    "Action": "*",
    "Resource": "*"
    "Condition": {
        "StringEquals": {
            'aws:RequestTag/owner': "${aws:PrincipalTag/owner}",
            'aws:ResourceTag/owner': "${aws:PrincipalTag/owner}"
        }
    }
}

The problem is that as it is current written above, this says that both the aws:RequestTag/owner AND the tag aws:ResourceTag/owner tags would be present which cant be true.

I need is so that at least one of those two tags is present and that they be equal to ${aws:PrincipalTag/owner} .

How do I accomplish this?

  • Kallu EXPERTE
    vor 2 Jahren

    As this snippet looks somewhat familiar :-) I should comment why there is AND, not OR. Condition is to state your API request must have the same owner=value as the resource does. Original version had StringEqualsIfExists to allow those cases where owner -tag isn't present or doesn't make sense. I'm not sure what would be the use-case for OR, as your requestTag comparision will always be true if you have tagged the IAM user or role you are using?

Themen
Sicherheit, Identität & Konformität
Tags
Sicherheit, Identität & KonformitätAWS Identity and Access Management
Sprache
English
chrisjd20
gefragt vor 2 Jahren12074 Aufrufe
2 Antworten
3
Akzeptierte Antwort

One way to approach this problem could be as follows :

{
    "Version": "2012-10-17",
    "Statement": [
    {
    "Effect": "Allow",
    "Action": "*",
    "Resource": "*",
    "Condition": { "StringEquals":  'aws:RequestTag/owner': "${aws:PrincipalTag/owner}" }
     },
     {
    "Effect": "Allow",
    "Action": "*",
    "Resource": "*",
    "Condition": { "StringEquals":  'aws:ResourceTag/owner': "${aws:PrincipalTag/owner}" }
     }
     ]
}

You can have multiple "Allow" constructs in a single IAM statement. Either of these could allow the action.

Dennis_A
beantwortet vor 2 Jahren
  • chrisjd20
    vor 2 Jahren

    Oh duh lol Why didnt I think of this.

1

Create two separate statements:

{
    "Sid": "AllowUnlessOwnedBySomeoneElse",
    "Effect": "Allow",
    "Action": "*",
    "Resource": "*"
    "Condition": {
        "StringEquals": {
            "aws:RequestTag/owner": "${aws:PrincipalTag/owner}",
        }
    }
},
{
    "Sid": "AllowUnlessOwnedBySomeoneElse2",
    "Effect": "Allow",
    "Action": "*",
    "Resource": "*"
    "Condition": {
        "StringEquals": {
            "aws:ResourceTag/owner": "${aws:PrincipalTag/owner}"
        }
    }
}

Make sure you also have a look at the page that details which services do and don't support ABAC as well.

AWS
Matt
beantwortet vor 2 Jahren
profile picture
EXPERTE
Kallu
überprüft vor 2 Monaten
  • chrisjd20
    vor 2 Jahren

    THanks, I should have thought of this.

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen

Relevanter Inhalt